Hi All-
A couple of newb questions here. I have been using Encase Forensics for a total of five days, and while I am learning a lot on my own, I need some help with my planned workflow.
I am using a trial version of Encase Forensics and testing its features for use as an ediscovery collection tool.
Without the license dongle, I can still use encase in acquisition mode. When collecting data from custodians in remote offices, I plan to ship a USB hard drive with a copy of the encase program files folder on it so that I can use Forensics in acquisition mode. I would then start the acquisition over a WebEx session. How does this sound? Is this a terrible idea to collect from the computer that is running Forensics? I ask because it seems that the normal way to do an acquisition with just the custodian's computer is to first boot to a cd or usb drive and stay out of the OS. This makes sense for forensic purposes, but for ediscovery is it necessary?
The trial version of Forensics does not include Fastbloc SE so I have not had the chance to use it, can it be used in acquisition mode?
Thank you very much.
Hi
Let me put my 2.5 cents in….
If I understand correctly…. you are suggesting sending a trial version of Encase software on a USB drive to a remote custodian. You will then show them over WebEx or some other remote method how to connect the USB drive to the custodian's *live and booted* computer and have the custodian (or yourself) use Encase to image their drive?
Ummm… not a good idea IMHO.
- There are too many points of failure…. the software; the custodian; you (being a newbie)
- I realize this is eDiscovery - and you will find a lot of litigation support companies and lawyers tell you that it's ok to get targeted data from a live system (instead of doing a physical image of a system that has been shut down) - Get that in writing! 3 months down the road, you will be asked why you (as the expert) didn't do a physical image of a down-system and you will need to defend your position by saying you suggested it but were overruled in writing. There will also be times when "Just get the User folder" turns into "Crap… the user saved data in a folder on the root and now it's been deleted." There is an old saying…. "If it's not in writing, it did not happen…"
- Do you know the size of the drives? Do you know how long it will take to image? Will your WebEx stay active for that whole x-hours? If not, will you have to reconnect *while the acquisition is in process*?
Being that you are new to this (and please don't take this the wrong way….) and being that this looks like a real case
- I would look for a local examiner to image those drives and send you the image. Have them make 2 copies on separate drives and send you one copy. Once you receive the copy and validate it, the local guy can destroy the second one.
- If you don't want to get a local FE involved, at the least, I would have the client invest in copies of Encase Portable (http//
Seriously…. if this is your first foray into forensics, you definitely do not want to jump into it with a remote acquisition via webex, using a trial version of Encase etc etc etc… )
Hope this helps… there are others on here that may chime in with their opinions too. Good Luck!
Best
-=Art=-
PS Have you used FTK Imager? Free from Access Data.
Art,
Thank you for the good advice. No offense taken, I'm a total noob at this stuff and appreciate your comments.
We are not using a trial version for an actual real world acquisition. We are just using a trial version for testing the workflow to see if what we have in mind is going to work. We will be purchasing a licensed version of Forensics if this all works out.
The idea of using Webex was just to kick off the acquisition job for the custodian. I don't anticipate needing to be connected the entire collection time. Perhaps another way is to create some sort of boot usb drive or boot cd, but I would prefer a process that makes it easy on the custodian and wouldn't involve a lot of clicking on their part, and if we can see what is going on their screen or even punch in the settings ourselves, all the better. In order to do this we need the custodian's machine to be booted into Windows.
After running some searches on the forums last night, I learned that what I am really asking about is the integrity of doing live acquisitions. It sounds like FE's do acquisitions from down-systems, which makes total sense, but then Encase and F-Response allow live acquisitions on booted up Windows computers and collections using those tools are not necessarily bad.
Greetings,
Live acquisitions, remote WebEx collections, and even custodian self-collection are normal in ediscovery.
I'd not use EnCase Forensic as a remotely operated tool, though. It is overkill, and overly complicated, for the task. FTK Imager is more appropriate. You can remotely operate it, and, if necessary, remotely walk a local IT person through using it.
If you want to automate the remote collection, there are a variety of options, though I'd go with EnCase Portable, particularly if you're already using EnCase.
-David
Thanks kovar. I did not mention this, but we need to create LEF files which is why we chose Encase over FTK. Since everyone is talking about FTK Imager maybe we should look at that too. A quick Google search shows that FTK Imager can create E01 files.
What if we use FTK Imager to create the E01's and then open the E01 in Encase to create the LEF? I believe LEF is proprietary to Encase so we are going to need a Forensics license regardless of the program that does the actual collection, but if FTK Imager is a better tool for doing these remote collections because it is more user friendly then we should try it also. Thanks for the suggestions everyone.
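Added example, not code from any poster in this thread: a small Python parser for the EWF-E01 segment layout that FTK Imager and EnCase write (13-byte "EVF" file header, then a chain of 76-byte section descriptors, each ending in an Adler-32 of its first 72 bytes). It walks the section chain, checks every checksum, and pulls the stored MD5 out of the "hash" section, which is the container-level part of "validating" a received image. The sample segment it builds is constructed inline and deliberately omits the volume/sectors/table sections a real image carries; the section and field names follow the public EWF documentation and the helper names are my own.

```python
import hashlib
import struct
import zlib

EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_LEN = 13      # signature(8) + fields start(1) + segment number(2) + fields end(2)
SECTION_DESC_LEN = 76     # type(16) + next offset(8) + section size(8) + padding(40) + adler32(4)

# Constructed sample "disk contents": only its MD5 is stored in the sample segment.
SAMPLE_DISK = b"constructed disk contents"
SAMPLE_MD5 = hashlib.md5(SAMPLE_DISK).digest()


def _adler32(data):
    return zlib.adler32(data) & 0xFFFFFFFF


def build_section(stype, payload, offset):
    """Bytes for one section descriptor plus payload, given the section's own file offset.
    Terminator sections ('done' in the last segment, 'next' in earlier ones)
    point their next-offset field at themselves."""
    size = SECTION_DESC_LEN + len(payload)
    next_offset = offset if stype in (b"done", b"next") else offset + size
    body = stype.ljust(16, b"\x00") + struct.pack("<QQ", next_offset, size) + b"\x00" * 40
    return body + struct.pack("<I", _adler32(body)) + payload


def build_sample_segment(md5_digest):
    """Constructed single-segment E01: file header, a 'header' section,
    a 'hash' section (MD5 + 16 zero bytes + Adler-32) and the 'done' terminator."""
    out = bytearray(EVF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00")
    out += build_section(b"header", b"constructed header text", len(out))
    hash_body = md5_digest + b"\x00" * 16
    out += build_section(b"hash", hash_body + struct.pack("<I", _adler32(hash_body)), len(out))
    out += build_section(b"done", b"", len(out))
    return bytes(out)


def parse_segment(data):
    """Walk one segment's section chain, verifying every Adler-32.
    Returns (segment_number, [section types], stored MD5 hex or None).
    Raises ValueError on a bad signature, a bad checksum or a chain that does not advance."""
    if data[:8] != EVF_SIGNATURE:
        raise ValueError("not an EWF-E01 segment (bad signature)")
    if data[8] != 0x01 or data[11:13] != b"\x00\x00":
        raise ValueError("malformed EWF file header")
    segment_number = struct.unpack_from("<H", data, 9)[0]

    offset = FILE_HEADER_LEN
    sections = []
    md5_hex = None
    while True:
        desc = data[offset:offset + SECTION_DESC_LEN]
        if len(desc) < SECTION_DESC_LEN:
            raise ValueError("truncated section descriptor at offset %d" % offset)
        stype = desc[:16].rstrip(b"\x00").decode("ascii")
        next_offset, size = struct.unpack_from("<QQ", desc, 16)
        if struct.unpack_from("<I", desc, 72)[0] != _adler32(desc[:72]):
            raise ValueError("section %r at offset %d fails its checksum" % (stype, offset))
        sections.append(stype)
        payload = data[offset + SECTION_DESC_LEN:offset + size]
        if stype == "hash":
            # hash section: MD5(16) + unknown/zero(16) + Adler-32 of those 32 bytes
            if len(payload) < 36 or struct.unpack_from("<I", payload, 32)[0] != _adler32(payload[:32]):
                raise ValueError("hash section fails its checksum")
            md5_hex = payload[:16].hex()
        if stype in ("done", "next") or next_offset == offset:
            break
        if next_offset <= offset:
            raise ValueError("section chain does not advance at offset %d" % offset)
        offset = next_offset
    return segment_number, sections, md5_hex


def segment_is_intact(data):
    """True if the segment parses and every section checksum holds."""
    try:
        parse_segment(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    seg = build_sample_segment(SAMPLE_MD5)
    print(parse_segment(seg))
    tampered = bytearray(seg)
    tampered[190] ^= 0xFF          # flip a byte inside the stored MD5
    print("tampered segment intact:", segment_is_intact(tampered))
```

The stored MD5 is what the acquiring tool computed over the acquired data, so matching it on receipt proves the container arrived unchanged, not that the image matches the source drive; that second check needs the hash recorded at acquisition time and, for a real E01, decompressing the chunked sectors, which this example does not attempt.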
..as kovar mentioned, EnCase Portable makes it rather foolproof (it's plug and play) and would likely be your best bet both due to ease of use and portability.
Would you recommend booting off the Portable drive or using it to do a live acquisition? Portable offers both options.
Each encase portable license is pretty pricey and we would need five or more at any given time…. which is why using Forensics Acquisition Mode in conjunction with Webex sessions to configure Encase for the custodian seemed like a good low cost option. A foolproof system like Encase portable sounds really attractive too, but foolproof won't be cheap if we need to buy five licenses.
As mentioned, encase portable is extremely easy to use. Depending on your scenario….. if you can, boot to portable to acquire the whole disk. Check out YouTube for some videos of portable functionality.
Also EnCase ships with a tool called winacq (find it in the install folder for encase). This runs from the command line of a running windows machine and can be used to acquire a physical disk or logical volume!!!
Just a couple of thoughts
hommy0 - Winacq looks very good. Thank you.